DataDog
diff --git a/‎config/_default/menus/main.en.yaml‎
Lines changed: 14 additions & 9 deletions b/‎config/_default/menus/main.en.yaml‎
Lines changed: 14 additions & 9 deletions
diff --git a/‎content/en/account_management/saml/_index.md‎
Lines changed: 11 additions & 51 deletions b/‎content/en/account_management/saml/_index.md‎
Lines changed: 11 additions & 51 deletions
diff --git a/‎content/en/account_management/saml/configuration.md‎
Lines changed: 101 additions & 0 deletions b/‎content/en/account_management/saml/configuration.md‎
Lines changed: 101 additions & 0 deletions
diff --git a/‎static/images/account_management/saml/saml_configure.png‎
276 KB b/‎static/images/account_management/saml/saml_configure.png‎
276 KB
diff --git a/‎static/images/account_management/saml/saml_enable.png‎
-82.2 KB b/‎static/images/account_management/saml/saml_enable.png‎
-82.2 KB
diff --git a/‎static/images/account_management/saml/saml_enable_cropped.png‎
-171 KB b/‎static/images/account_management/saml/saml_enable_cropped.png‎
-171 KB
diff --git a/‎static/images/account_management/saml/saml_enabled.png‎
-24.9 KB b/‎static/images/account_management/saml/saml_enabled.png‎
-24.9 KB
@@ -8361,51 +8361,56 @@ menu:
       identifier: account_management_saml
       parent: account_management
       weight: 4
+    - name: Configuring SAML
+      url: account_management/saml/configuration/
+      identifier: account_management_saml_configuration
+      parent: account_management_saml
+      weight: 401
     - name: User Group Mapping
       url: account_management/saml/mapping/
       identifier: account_management_saml_mapping
       parent: account_management_saml
-      weight: 401
+      weight: 402
     - name: Active Directory
       url: account_management/saml/activedirectory/
       identifier: account_management_saml_activedirectory
       parent: account_management_saml
-      weight: 402
+      weight: 403
     - name: Auth0
       url: account_management/saml/auth0/
       identifier: account_management_saml_auth0
       parent: account_management_saml
-      weight: 403
+      weight: 404
     - name: Entra ID
       url: account_management/saml/entra/
       identifier: account_management_saml_entra
       parent: account_management_saml
-      weight: 404
+      weight: 405
     - name: Google
       url: account_management/saml/google/
       identifier: account_management_saml_google
       parent: account_management_saml
-      weight: 405
+      weight: 406
     - name: LastPass
       url: account_management/saml/lastpass/
       identifier: account_management_saml_lastpass
       parent: account_management_saml
-      weight: 406
+      weight: 407
     - name: Okta
       url: account_management/saml/okta/
       identifier: account_management_saml_okta
       parent: account_management_saml
-      weight: 407
+      weight: 408
     - name: SafeNet
       url: account_management/saml/safenet/
       identifier: account_management_saml_safenet
       parent: account_management_saml
-      weight: 408
+      weight: 409
     - name: Troubleshooting
       url: account_management/saml/troubleshooting/
       identifier: account_management_samle_troubleshooting
       parent: account_management_saml
-      weight: 409
+      weight: 410
     - name: SCIM
       url: account_management/scim/
       parent: account_management
 
@@ -28,38 +28,15 @@ Configuring [SAML (Security Assertion Markup Language)][1] for your Datadog acco
 
 ## Configuring SAML
 
-1. To begin configuration, see your IdP's documentation:
-
-    * [Active Directory][10]
-    * [Auth0][11]
-    * [Google][13]
-    * [Microsoft Entra ID][12]
-    * [NoPassword][14]
-    * [Okta][15]
-    * [SafeNet][16]
-
-2. In the Datadog app, hover over your username in the bottom left corner and select Organization Settings. Select [Login Methods][17] and click on **Configure** under SAML.
-
-3. Upload the IdP metadata from your SAML identity provider by clicking the **Choose File** button. After choosing the file, click **Upload File**.
-
-**Note:** The IdP metadata must contain ASCII characters only.
-
-4. Download Datadog's [Service Provider metadata][18] to configure your IdP to recognize Datadog as a Service Provider.
-
-5. After you upload the IdP metadata and configure your IdP, enable SAML in Datadog by clicking the **Upload and Enable** button.
-    {{< img src="account_management/saml/saml_enable_cropped.png" alt="Configure SAML by uploading your IdP metadata" >}}
-    
-6. After uploading the IdP metadata, return to the **Login Methods** page and turn SAML `on` by default. 
-
-**Note**: To configure SAML for a multi-org, see [Managing Multiple-Organization Accounts][21].
+See [Configuring Single Sign-On With SAML][2] for instructions.
 
 ## Using SAML
 
 After SAML is configured in Datadog and your IdP is set up to accept requests from Datadog, users can log in.
 
 ### SP-initiated login
 
-SP-initiated, or Service Provider-initiated, means login initiated from Datadog. Users log in through the **Single Sign-on URL** shown in the status box at the top of the [SAML Configuration page][19]. The **Single Sign-on URL** is also displayed on the [Team page][20]. Loading this URL initiates a SAML authentication against your IdP. **Note**: This URL only displays if SAML is enabled for your account and you are using SP-initiated login.
+SP-initiated, or Service Provider-initiated, means login initiated from Datadog. Users log in through the **Single Sign-on URL** shown in the status box at the top of the [SAML Configuration page][4]. Loading this URL initiates a SAML authentication against your IdP. **Note**: This URL only displays if SAML is enabled for your account and you are using SP-initiated login.
 
 {{< img src="account_management/saml/saml_enabled_cropped.png" alt="Confirmation that SAML Enabled" >}}
 
@@ -83,7 +60,7 @@ When a login occurs, a SAML Assertion containing user authorization is sent from
 
 * Assertions must be signed.
 * Assertions can be encrypted, but unencrypted assertions are accepted.
-* Reference [Datadog's Service Provider metadata][18] for more information. You must be signed in to Datadog to access the file.
+* Reference [Datadog's Service Provider metadata][3] for more information. You must be signed in to Datadog to access the file.
 
 ### Supported attributes
 
@@ -115,9 +92,9 @@ If **sn** and **givenName** are provided, they are used to update the user's nam
 
 ## Additional features
 
-To map attributes in your identity provider's response to Datadog roles and teams, see [SAML group mapping][22].
+To map attributes in your identity provider's response to Datadog roles and teams, see [SAML group mapping][5].
 
-The following features can be enabled through the [SAML Configuration dialog][19]:
+The following features can be enabled through the [SAML Configuration dialog][4]:
 
 **Note:** You must have Admin permissions to see the SAML Configuration dialog.
 
@@ -145,7 +122,7 @@ If you do not use the updated SP metadata, Datadog is not able to associate the
 
 ### SAML strict
 
-You can make your organization SAML Strict by disabling other login method types in the **Login Methods** UI. When this option is configured, all users must, by default, log in with SAML. An existing username/password or Google OAuth login does not work. This ensures that all users with access to Datadog must have valid credentials in your company's identity provider/directory service to access your Datadog account. Org administrators can set per-user [overrides][23] to allow certain users to be SAML Strict exempt.
+You can make your organization SAML Strict by disabling other login method types in the **Login Methods** UI. When this option is configured, all users must, by default, log in with SAML. An existing username and password, or Google OAuth login, does not work. This ensures that all users with access to Datadog must have valid credentials in your company's identity provider or directory service to access your Datadog account. Org administrators can set per-user [overrides][6] to allow certain users to be SAML Strict exempt.
 
 ### Self-updating Datadog SP metadata
 
@@ -158,25 +135,8 @@ Certain Identity Providers (such as Microsoft's ADFS) can be configured to pull
 {{< partial name="whats-next/whats-next.html" >}}
 
 [1]: http://en.wikipedia.org/wiki/Security_Assertion_Markup_Language
-[2]: /help/
-[3]: https://learn.microsoft.com/en-us/entra/architecture/auth-saml
-[4]: https://auth0.com/docs/protocols/saml-protocol
-[5]: https://cloud.google.com/architecture/identity/single-sign-on
-[6]: https://support.logmeininc.com/lastpass/help/lastpass-admin-toolkit-using-single-sign-on-sso
-[7]: https://developer.okta.com/docs/concepts/saml/
-[8]: https://thalesdocs.com/sta/operator/applications/apps_saml/index.html
-[9]: /account_management/users/default_roles/
-[10]: /account_management/saml/activedirectory/
-[11]: /account_management/saml/auth0/
-[12]: /account_management/saml/entra/
-[13]: /account_management/saml/google/
-[14]: /account_management/saml/nopassword/
-[15]: /account_management/saml/okta/
-[16]: /account_management/saml/safenet/
-[17]: https://app.datadoghq.com/organization-settings/login-methods
-[18]: https://app.datadoghq.com/account/saml/metadata.xml
-[19]: https://app.datadoghq.com/saml/saml_setup
-[20]: https://app.datadoghq.com/account/team
-[21]: /account_management/multi_organization/#setting-up-saml
-[22]: /account_management/saml/mapping/
-[23]: /account_management/login_methods/#reviewing-user-overrides
+[2]: /account_management/saml/configuration
+[3]: https://app.datadoghq.com/account/saml/metadata.xml
+[4]: https://app.datadoghq.com/organization-settings/login-methods/saml
+[5]: /account_management/saml/mapping/
+[6]: /account_management/login_methods/#reviewing-user-overrides
@@ -0,0 +1,101 @@
+---
+title: Configuring Single Sign-On With SAML
+description: Configure SAML authentication for Datadog with identity providers like Active Directory, Auth0, Google, Okta, and Microsoft Entra ID for secure single sign-on.
+disable_toc: false
+further_reading:
+- link: "/account_management/saml/"
+  tag: "Documentation"
+  text: "Single Sign-On With SAML"
+- link: "account_management/saml/mapping/"
+  tag: "Documentation"
+  text: "SAML Group Mapping"
+algolia:
+  tags: ['saml']
+---
+
+## Overview
+
+This page covers how to enable single sign-on (SSO) with SAML in Datadog, as well as how enterprise customers can enable multiple SAML identity providers (IdPs).
+
+**Notes**: 
+
+{{% site-region region="us,us3,us5,eu,ap1,ap2" %}}
+- If you don't have SAML enabled on your Datadog account, reach out to [support][1] to enable it.
+- This documentation assumes that you already have a SAML Identity Provider (IdP). If you do not have a SAML IdP, there are several IdPs that have integrations with Datadog such as [Active Directory][9], [Auth0][3], [Google][4], [LastPass][5], [Microsoft Entra ID][2], [Okta][6], and [SafeNet][7].
+- SAML configuration requires [Datadog Administrator][8] access, or the `Org Management` permission if you're using custom roles.
+{{% /site-region %}}
+
+{{% site-region region="gov" %}}
+- This documentation assumes that you already have a SAML Identity Provider (IdP). If you do not have a SAML IdP, there are several IdPs that have integrations with Datadog such as [Active Directory][9], [Auth0][3], [Google][4], [LastPass][5], [Microsoft Entra ID][2], [Okta][6], and [SafeNet][7].
+- SAML configuration requires [Datadog Administrator][8] access, or the `Org Management` permission if you're using custom roles.
+{{% /site-region %}}
+
+## Configuring SAML
+
+1. To begin configuration, see your IdP's documentation:
+
+    * [Active Directory][9]
+    * [Auth0][10]
+    * [Google][12]
+    * [Microsoft Entra ID][11]
+    * [LastPass][13]
+    * [Okta][14]
+    * [SafeNet][15]
+
+2. Download Datadog's [Service Provider metadata][17] to configure your IdP to recognize Datadog as a Service Provider.
+
+3. In Datadog, hover over your username in the bottom left corner and select **Organization Settings**. Select [**Login Methods**][16] and click **Configure** under SAML.
+
+4. Click **Add SAML**.
+
+5. In the configuration modal:
+    * Create a user-friendly name for this SAML provider. The name appears to end users when they choose a login method.
+    * Upload the IdP metadata from your SAML identity provider by clicking **browse files** or dragging and dropping the XML metadata file onto the modal.
+      <br>
+      <div class="alert alert-info">The IdP metadata must contain ASCII characters only.</a></div>
+
+    {{< img src="account_management/saml/saml_configure.png" alt="Configure SAML by uploading your IdP metadata" style="width:100%;" >}}
+
+6. Click **Save**.
+
+**Note**: To configure SAML for a multi-org, see [Managing Multiple-Organization Accounts][18].
+
+## Configuring multiple SAML providers
+
+Enterprise customers can have multiple SAML configurations per organization (up to three at the same time). This feature simplifies identity management across complex environments, such as during IdP changes, mergers, or contractor onboarding.
+
+To configure additional SAML providers:
+
+1. Navigate to **Organization Settings > Login Methods**. Under **SAML**, click **Update**, then **Add SAML**.
+2. In the configuration modal:
+
+    - Create a user-friendly name for this SAML provider. The name appears to end users when they choose a login method.
+      <br>
+      <div class="alert alert-info">All users can see and access all configured IdPs; there is no way to assign specific user groups to specific configurations. Setting clear and descriptive names for each provider helps users select the appropriate IdP during login. Also note that there is no way to set a default configuration.</a></div>
+    - Upload the IdP metadata from your SAML identity provider by clicking **browse files** or dragging and dropping the XML metadata file onto the modal.
+4. Click **Save**.
+
+### Role mapping with multiple SAML providers
+
+If you use SAML [role mapping][19] or [team mapping][20] and want to use the same mappings in any additional providers you add, make sure the attributes in the new IdP(s) match what is defined in your mappings. If you add a new IdP, make sure to either use the same attribute names as your existing IdP, or add new mappings that align with the new IdP's attributes to ensure roles and teams are assigned correctly when users log in with different IdPs.
+
+[1]: /help/
+[2]: https://learn.microsoft.com/en-us/entra/architecture/auth-saml
+[3]: https://auth0.com/docs/protocols/saml-protocol
+[4]: https://cloud.google.com/architecture/identity/single-sign-on
+[5]: https://support.logmeininc.com/lastpass/help/lastpass-admin-toolkit-using-single-sign-on-sso
+[6]: https://developer.okta.com/docs/concepts/saml/
+[7]: https://thalesdocs.com/sta/operator/applications/apps_saml/index.html
+[8]: /account_management/users/default_roles/
+[9]: /account_management/saml/activedirectory/
+[10]: /account_management/saml/auth0/
+[11]: /account_management/saml/entra/
+[12]: /account_management/saml/google/
+[13]: /account_management/saml/lastpass/
+[14]: /account_management/saml/okta/
+[15]: /account_management/saml/safenet/
+[16]: /account_management/login_methods/
+[17]: https://app.datadoghq.com/account/saml/metadata.xml
+[18]: /account_management/multi_organization/#setting-up-saml
+[19]: /account_management/saml/mapping/#map-saml-attributes-to-datadog-roles
+[20]: /account_management/saml/mapping/#map-saml-attributes-to-teams